CVE-2025-22953 · CRITICAL 9.8 · EPSS percentile 69.1%

Description

A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.41% probability of exploitation · percentile 69.1% · 2026-06-18T12:00:27Z
Published: 2025-03-28
Last modified: 2025-04-15

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/maliktawfiq/CVE-2025-22953
  2. https://tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904?pvs=4
  3. https://www.epiusers.help/t/alert-hcm-security-patch/124777

Type: Weakness · Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-22992
CVE: CVE-2026-8111
CVE: Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability
CVE: CVE-2025-27617
CVE: CVE-2025-70981
CVE: CVE-2025-10969

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.